41 lines
1.6 KiB
Markdown
41 lines
1.6 KiB
Markdown
The webapp is a web server that displays a shiny interface.
|
|
|
|
## security
|
|
|
|
* Listen only to localhost. **done**
|
|
* Instruct the user's web browser to open an url that contains a secret
|
|
token. This guards against other users on the same system. **done**
|
|
(I would like to avoid passwords or other authentication methods,
|
|
it's your local system.)
|
|
* Don't pass the url with secret token directly to the web browser,
|
|
as that exposes it to `ps`. Instead, write a html file only the user can read,
|
|
that redirects to the webapp. **done**
|
|
* Alternative for Linux at least would be to write a small program using
|
|
GTK+ Webkit, that runs the webapp, and can know what user ran it, avoiding
|
|
needing authentication.
|
|
|
|
## interface
|
|
|
|
* list of files uploading and downloading
|
|
* progress bars for each file
|
|
* drag and drop to reorder
|
|
* cancel and pause
|
|
* keep it usable w/o javascript, and accessible to blind, etc
|
|
|
|
## other features
|
|
|
|
* there could be a UI to export a file, which would make it be served up
|
|
over http by the web app
|
|
* Display any relevant warning messages. One is the `inotify max_user_watches`
|
|
exceeded message. Need to lift such messages into DaemonStatus
|
|
so the WebApp can include them in its rendering of DaemonStatus.
|
|
|
|
## implementation
|
|
|
|
* perhaps define a custom `errorHandler`, which could avoid the potential
|
|
of leaking auth tokens on error pages. Or make the test suite test for
|
|
leakage.
|
|
* possibly lose the ugly auth= token past the first page,
|
|
and use a client-side session. It could be encrypted using the token
|
|
as the `encryptKey`. Note: Would need to set the session duration
|
|
to infinite (how?)
|